CHAPTER OUTLINE
- 3.1 Ethical Issues
- 3.2 Threats to Information Security
- 3.3 Protecting Information Resources
LEARNING OBJECTIVES
- Describe the major ethical issues related to information technology and identify situations in which they occur.
- Describe the many threats to information security.
- Understand the various defense mechanisms used to protect information systems.
- Explain IT auditing and planning for disaster recovery.
The Four Categories of Ethical Issues
- Privacy Issues
- Accuracy Issues
- Property Issues
- Accessibility Issues
Privacy
- Privacy: the right to be left alone and to be free of unreasonable personal intrusions.
- Court decisions have followed two rules: (1) The right of privacy is not absolute; your privacy must be balanced against the needs of society. (2) The public’s right to know is superior to the individual’s right of privacy.
Threats to Privacy
- Data aggregators, digital dossiers, and profiling
- Electronic Surveillance
- Personal Information in Databases
- Information on Internet Bulletin Boards, Newsgroups, and Social Networking Sites
Electronic Surveillance
- See "The State of Surveillance" article in BusinessWeek
- See the surveillance slideshow
- See additional surveillance slides
- And you think you have privacy? (video)
- Sense-through-the-Wall
Personal Information in Databases
- Banks
- Utility companies
- Government agencies
- Credit reporting agencies
Social Networking Sites Can Cause You Problems
Anyone can post derogatory information about you anonymously. (See this Washington Post article.) You can also hurt yourself, as this article shows.
What Can You Do?
First, be careful what information you post on social networking sites.
Second, a company, ReputationDefender, says it can remove derogatory information from the Web.
Factors Increasing the Threats to Information Security
- Today’s interconnected, interdependent, wirelessly-networked business environment
- Government legislation
- Smaller, faster, cheaper computers and storage devices
- Decreasing skills necessary to be a computer hacker
Factors Increasing the Threats to Information Security (continued)
- International organized crime turning to cybercrime
- Downstream liability
- Increased employee use of unmanaged devices
- Lack of management support
Key Information Security Terms
- Threat
- Exposure
- Vulnerability
- Risk
- Information system controls
Categories of Threats to Information Systems
- Unintentional acts
- Natural disasters
- Technical failures
- Management failures
- Deliberate acts
(from Whitman and Mattord, 2003)
Example of a threat (video)
Unintentional Acts
- Human errors
- Deviations in quality of service by service providers (e.g., utilities)
- Environmental hazards (e.g., dirt, dust, humidity)
Human Errors
- Tailgating
- Shoulder surfing
- Carelessness with laptops and portable computing devices
- Opening questionable e-mails
- Careless Internet surfing
- Poor password selection and use
- And more
Social Engineering
- 60 Minutes interview with Kevin Mitnick, the “King of Social Engineering”
- Kevin Mitnick served several years in a federal prison. Upon his release, he opened his own consulting firm, advising companies on how to deter people like him.
- See his company here
Deliberate Acts
- Espionage or trespass
- Information extortion
- Sabotage or vandalism
- Theft of equipment or information
  - For example, dumpster diving
Deliberate Acts (continued)
- Software attacks
  - Virus
  - Worm
    - 1988: first widespread worm, created by Robert T. Morris, Jr.
    - (see the rapid spread of the Slammer worm)
  - Trojan horse
  - Logic bomb
- Software attacks (continued)
  - Phishing attacks
    - Phishing slideshow
    - Phishing quiz
    - Phishing example
    - Phishing example
  - Distributed denial-of-service attacks
    - See botnet demonstration
Deliberate Acts (continued)
Is the email really from eBay, or PayPal, or a bank? As spammers get better, their emails look more genuine. How do you tell if it’s a scam and phishing for personal information? Here’s how ...
Is the email really from eBay, or PayPal, or a bank?
As an example, here is what the email said:
- Return-path: <[email protected]>
- From: "PayPal" <[email protected]>
- Subject: You have 1 new Security Message Alert !
Note that they even give advice in the right column about security.
How to see what is happening: View Source
- In Outlook, right-click on the email and click ‘View Source’.
- In GroupWise, open the email and click on the Message Source tab.
- In Mozilla Thunderbird, click on View, then Source.
- Below is the part of the text that makes the email look official: the images came from the PayPal website.
View Source – The Real Link
- In the body it said, “If you are traveling, ‘Travelling Confirmation Here’”.
- Here is where you are really being sent:
  href=3D ftp://futangiu:[email protected]/index.htm
- Notice that the link is not only not PayPal, it is an IP address: two giveaways of a fraudulent link.
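A defender-side check for the giveaways the slide describes, added here as an example (not code from the original slides): it decodes the quoted-printable message source (the "=3D" seen in "view source" is the encoded "=" sign), pulls every link out of the body, and flags a non-http(s) scheme, credentials embedded in the URL, a bare IP address as host, and a host outside the brand's real domain. The sample message, the user name, the password and the IP address 203.0.113.5 are constructed placeholders.

```python
import quopri
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Constructed sample of what "view source" shows (quoted-printable: "=3D" is "=").
# The credentials and 203.0.113.5 are placeholders, not values from any real mail.
SAMPLE_SOURCE = (
    b'<img src=3D"https://www.paypal.com/images/logo.gif"><br>\r\n'
    b'If you are traveling, <a href=3D"ftp://user:secret@203.0.113.5/index.htm">'
    b'Travelling Confirmation Here</a>'
)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in the decoded body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_link(href, expected_domain):
    """Giveaways for one href, judged against the brand's real domain."""
    parts = urlsplit(href)
    host, findings = parts.hostname or "", []
    if parts.scheme not in ("http", "https"):
        findings.append(f"scheme is {parts.scheme!r}, not http(s)")
    if parts.username is not None:
        findings.append("credentials embedded in the URL")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
    except ValueError:
        pass  # not an IP literal; fall through to the domain check
    if host != expected_domain and not host.endswith("." + expected_domain):
        findings.append(f"host {host!r} is not under {expected_domain}")
    return findings

def analyze_email(raw_source, expected_domain="paypal.com"):
    """Decode quoted-printable, pull out every link, and list its giveaways."""
    body = quopri.decodestring(raw_source).decode("utf-8", errors="replace")
    collector = LinkCollector()
    collector.feed(body)
    return [(t, h, check_link(h, expected_domain)) for h, t in collector.links]
```

Running analyze_email(SAMPLE_SOURCE) reports all four giveaways for the "Travelling Confirmation Here" link, while a genuine https link under paypal.com produces none.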
Deliberate Acts (continued)
- Alien software
  - Spyware (see video)
  - Spamware
  - Cookies
    - Cookie demo
Deliberate Acts (continued)
- Supervisory control and data acquisition (SCADA) attacks
Wireless sensor
Controls
- Physical controls
- Access controls
- Communications (network) controls
- Application controls
Access Controls
- Authentication
  - Something the user is (biometrics)
    - Video on biometrics
    - The latest biometric: gait recognition
    - The Raytheon Personal Identification Device
  - Something the user has
  - Something the user does
  - Something the user knows
    - Passwords
    - Passphrases
Communication or Network Controls
- Firewalls
- Anti-malware systems
- Whitelisting and blacklisting
- Intrusion detection systems
- Encryption
Communication or Network Controls (continued)
- Virtual private networking
- Secure Socket Layer (now Transport Layer Security)
- Vulnerability management systems
- Employee monitoring systems
IS Auditing Procedure
- Auditing around the computer
- Auditing through the computer
- Auditing with the computer